Pete Markowsky
This is not blocked by #744 and probably worth doing around the 2023.10 release.
@eopeter Sadly the FB9535577 is still listed as open. However, as of macOS 13, there's a new field on file close events called `was_mapped_writeable` that we're going to look into.
We had some time to look into this on Ventura, and we noticed that the flag wasn't being populated if the mmap'd region was unmapped. We've opened FB12094635 with Apple about...
Tested this with 13.5. The `was_mapped_writeable` flag is correctly being set on Close events.
This is documented in https://github.com/google/santa/blob/main/docs/concepts/rules.md#rule-evaluation To recap, as of 2023.6 the precedence for rules is (from most specific to least specific): ```mermaid flowchart LR A[SHA256 Rules] --> B[Signing ID Rules]...
Don't we handle this with the `enable_all_event_upload` feature from #800?
Marking this as resolved via #800.
Marking this as closed since it's almost 4 years old. Please feel free to reopen.
Due to changes in macOS, I don't believe this is possible any longer. Given that constraint, I'm going to close this issue. Please feel free to reopen.
Closing as the issue is 3 years old. This seems very similar to the transitive allow listing discussion in #561.